Models for threat assessment in networks

  • Authors: Karl Levitt; Melissa Danforth
  • Affiliations: University of California, Davis; University of California, Davis
  • Venue: Models for threat assessment in networks
  • Year: 2006

Abstract

Central to computer security are detecting attacks against systems and managing computer systems to mitigate threats to the system. Attacks exploit vulnerabilities in the system, such as a programming flaw. Threats are vulnerabilities which could lead to an attack under certain circumstances. The key to the detection of attacks is discovering an ongoing attack against the system. Mitigating threats involves a continuous assessment of the vulnerabilities in the system and of the risk these vulnerabilities pose with respect to a security policy. Intrusion detection systems (IDS) are programs which detect attacks. The goal is to issue alerts only when an actual attack occurs, but also to not miss any attacks. The biological immune system provides a compelling model on which to base an IDS. This work adds the biological concepts of positive selection and collaboration to artificial immune systems to achieve a better attack detection rate without unduly raising the false alarm rate. Attack graphs assess the threat to the system by showing the composition of vulnerabilities in the system. The key issues with attack graphs are scalability to large networks, ease of coding new attacks into the model, incomplete network information, visualization of the graph, and automatic analysis of the graph. This work presents an abstract class model that aggregates individual attacks into abstract classes. Through these abstractions, scalability is greatly increased and the codification of new attacks into the model is made easier when compared to the current approach that models each attack individually. Clustering of identical machines is used to reduce the visual complexity of the graph and also to increase scalability. Incomplete network information is handled by allowing "what if" evaluations, where an administrator can hypothesize about the existence of certain vulnerabilities in the system and investigate their consequences.
The patch management capability determines a mitigation strategy that optimizes the reduction of risk while maintaining a low cost. Unlike a vulnerability report, which only has a generic categorization of risk, this analysis uses the policy of the system to evaluate the risk. The resulting analysis is therefore linked to each system based on its system policy.